This specification generally relates to detecting and managing abnormal data behavior.
In corporate and other networks, computers connected to an internal network may send data to destinations connected to wider, public networks such as the Internet. In such a configuration, data loss may occur when data is transferred from the computers to an unauthorized destination. For example, malicious code may be installed on a computer and used to send data originating within the network over the public network to a remote, and sometimes undesirable, destination. In some cases, the data may be encrypted prior to sending, making it difficult or impossible to examine the contents of the data as it is being transmitted.